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We study a general family of quantum protocols for position verification and present a new class of 
attacks based on the Clifford hierarchy. These attacks outperform current strategies based on port- 
based teleportation for a large class of practical protocols. We then introduce the Interleaved Product 
protocol, a new scheme for position verification involving only the preparation and measurement of 
single-qubit states for which the best available attacks have a complexity exponential in the number 
of classical bits transmitted. 


I. INTRODUCTION 

The goal of position-based cryptography is for an hon¬ 
est party to use her spatio-temporal position as her only 
credentials in a cryptographic protocol. In particular, Po¬ 
sition verification aims at verifying that a certain party, 
called the prover, holds a given position in space-time. 
Such a protocol typically goes as follows: a set of verifiers 
will coordinate and send some challenge to the prover, 
and it is expected that only someone sitting in the sup¬ 
posed position of the prover can successfully pass the 
challenge. 

Position verification protocols have been studied in 
the classical setting where the challenges are described 
by classical information, and it was shown in [1] that 
information-theoretic security could never be obtained 
in the standard (Vanilla) model. More precisely, it is al¬ 
ways possible for a coalition of adversaries to convince 
the verifiers, even if none of the adversaries sits in the 
spatio-temporal region where the prover is supposed to 
be. Note, however, that the same paper gives secure 
constructions in the Bounded-Retrieval Model, which is 
a variant of the Bounded-Storage Model [2]. A possi¬ 
ble way-out of this no-go theorem would be to consider 
a quantum setting. Indeed, several classical tasks which 
are known to be impossible in the classical domain can 
be achieved in the quantum domain: this is the case for 
instance of secret key expansion [3], randomness amplifi¬ 
cation |3] or randomness expansion |^. 

Position-based cryptography in the quantum setting 
was first investigated under the name of quantum tag¬ 
ging by Kent around 2002, but only appeared in the lit¬ 
erature much later in |B] where attacks against possible 
quantum constructions are described. Malaney indepen¬ 
dently introduced a quantum position verification scheme 
in |7]. An example of a quantum protocol for position 
verification is one with two verifiers: one sending a qubit 
\(f)) = U\x) with X G {0,1} and C some unitary, and the 
second verifier sending a classical description of the uni¬ 
tary [/. The task for the prover is then to measure the 
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qubit in the basis {C/|0), C/|l)} and to return the classi¬ 
cal value of X to both provers. There are many variations 
around this protocol, and the intuition for the possible 
security of such protocols is that only someone sitting in 
P can obtain both U and perform the required mea¬ 
surement, and return the correct value x on time. In [S], 
Lau and Lo extended the attack from [B] to show that 
the above intuition is incorrect if the unitary {7 is a Clif¬ 
ford gate. In that case, a couple of cheaters, Alice lying 
between Vq s-nd P, and Bob lying between Vi and P, can 
always fool the verifiers provided that they share a small 
number of EPR pairs. This result was later generalized 
by Buhrman et al. who showed that such an attack 
always exists provided that the coalition of cheaters share 
sufficiently many EPR pairs: no position-based quantum 
cryptographic protocol can display information-theoretic 
security. 

Two general families of attacks against such position- 
verification protocols have been considered in the litera¬ 
ture so far, both based on quantum teleportation. The 
first one is inspired by Vaidman’s protocol for nonlocal 
computation m and consists in the cheaters teleport¬ 
ing some quantum state back and forth, with the num¬ 
ber of exchanges depending on the success probability 
of the attack. If the position-based protocol involves n 
qubits, the resource (number of EPR pairs) required for 
this type of attacks to succeed typically scales double- 
exponentially with n [S]. Another class of attacks uses 
port-based teleportation m and requires only exponen¬ 
tial entanglement to succeed m- If one could prove that 
such an attack was indeed optimal, one would obtain a 
secure position-based protocol for all practical purposes. 

A different class of position-based verification protocols 
based on the nonlocal computation of Boolean functions 
was introduced by Buhrman et al. in m, for which they 
suggested a new type of attacks based on the Garden- 
hose complexity of the Boolean function. They showed in 
particular that finding an explicit Boolean function with 
polynomial circuit complexity (so that the honest prover 
can compute it) but exponential attack complexity in the 
garden-hose model is at least as difficult as separating 
the classes of languages P and L, corresponding respec¬ 
tively to decision problems decidable in polynomial time 
or logarithmic space. This result was recently extended 
by Klauck and Podder who showed that explicit Boolean 
functions on k variables with Garden-hose complexity 
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will be hard to obtain [T3]. These results give 
us little hope of finding an explicit position-verification 
based on the nonlocal computation of Boolean functions 
both practical and secure. 

Establishing lower bounds for the amount of entan¬ 
glement shared by the coalition in order to successfully 
attack the protocol is a non trivial task. Current lower 
bounds are linear in the security parameter of the pro¬ 
tocol m, da. Recently, a tight (linear) lower bound 
was proved for the BB84-based protocol where the uni¬ 
tary U is either the identity or a Hadamard gate, in a 
model where the cheaters share an initial entangled state 
but are not allowed to exchange quantum communication 
during the protocol [T^. It was also shown by Unruh that 
security of some position-verification protocols could be 
established in the quantum random oracle model, that is 
if one has access to one-way functions HU. 

Recently, Qi and Siopsis initiated the study of imper¬ 
fections in quantum position-based schemes, in partic¬ 
ular in the presence of losses in the quantum channel 
between the verifiers and the prover |18| . Indeed, in or¬ 
der to achieve practical distances between the verifiers 
and the prover it is necessary for the the protocol to be 
reasonably loss-tolerant. 

In this paper, we investigate the family of protocols de¬ 
scribed above, where the state \(j)) and the unitary U is 
chosen from a family of n-qubit gates. We present some 
new attacks against such protocols that might become 
particularly efficient when the position-verification proto¬ 
col is practical for the honest prover. We then introduce a 
new practical position-verification scheme involving only 
single-qubit operations, for which the best known attacks 
require an exponential amount of entanglement. 


II. A GENERAL FAMILY OF 
POSITION-VERIFICATION PROTOCOLS 

For simplicity, we mainly focus on one-dimensional 
protocols where two verifiers Vq and Vi aim at verify¬ 
ing the position of a prover P located between them. We 
note that complications occur when dealing with more 
realistic 2 or 3-dimensional protocols (see for instance 
ini). but explicitly avoid these questions here. More¬ 
over, without loss of generality, we can always assume 
that the position P of the prover is exactly at equal dis¬ 
tance to Vo Vi and that it takes one unit of time for 
light to travel from Vq (or Vi) to P. 

Roughly speaking, a general position-verification pro¬ 
tocol consists of three distinct phases: 

• the preparation phase, where Vq and Vi prepare a 
challenge for the prover. The challenge typically 
involves a quantum state (for instance an n-qubit 
state, or n single-qubit states in the protocols con¬ 
sidered in the present paper) as well as some clas¬ 
sical information. The challenge is always given to 
the prover in a distributed fashion, one part coming 
from Vq, the other part coming from Vi. 


• the execution phase, during which Vq and Vi send 
their respective share of the challenge towards the 
prover P, who solves the challenge she is given, and 
returns her answer to the verifiers. 


• the verification phase, during which the verifiers 
check that (i) the answer is correct, and that (ii) 
they received it not more than two time units af¬ 
ter the beginning of the protocol. This assumes 
the idealized scenario where all communications are 
performed at the speed of light, and local compu¬ 
tation take negligible time. Even in that idealized 
scenario, it makes sense to allow the honest prover 
to err a small fraction of the time. For this reason, 
the provers accept the answer if it meets some tol¬ 
erance threshold rj. In fact, one should distinguish 
between two sources of imperfections, losses and 
noises, and the tolerance threshold should there¬ 
fore specify the amount of losses (i.e. no answer 
from the prover) and noise (i.e. incorrect answer) 
that can be tolerated. 


In this paper, we will first focus on an important fam¬ 
ily of position verification protocols where Vq sends an 
n-qubit state and Vi sends the classical description of a 
measurement basis, and the prover is required to measure 
the state in the correct measurement basis and to com¬ 
municate the outcome to both verifiers. These protocols 
have been widely discussed in the literature for instance 
in or [8] . In Section IV we will then introduce the In¬ 
terleaved Product protocol where the description of mea¬ 
surement basis is transmitted to the prover as a product 
of a large number of single-qubit unitaries J)[^ UiVi, where 
the unitaries {ui} and {ui} are respectively described to 
the prover by Vq and Vi. This scheme appears to be rea¬ 
sonably new, although similar ideas, with more verifiers, 
were already considered in [S]. We note that the inter¬ 
leaved group product (i.e. J([ UiVi where the {ui} and {u^}) 
are described by different verifiers) has been considered 
in the communication complexity literature, for instance 
in a recent paper by Gowers and Viola m- 

Before defining these protocols more formally, let us 
comment on some assumptions we make here. In this 
paper, our main goal is to present some natural position 
verification protocols and to study general classes of at¬ 
tacks that can be carried out by coalitions of cheaters. 
While we try to be as general as possible, we think it is 
sensible to make some specific choices in order to sim¬ 
plify the analysis. For instance, we restrict our protocols 
to using qubit states, and more importantly, we consider 
one-dimensional protocols with only 2 verifiers. Most of 
our analysis would carry through to arbitrary qudit pro¬ 
tocols involving many verifiers. We also decided to leave 
aside all the problems related to timing in order to focus 
on the genuinely quantum part of the procedure. This 
means that we consider that all communication (classical 
or quantum) is performed at the speed of light, and that 
all computation is instantaneous. These are obviously 
unrealistic assumptions, but dealing with more realistic 
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ones can be done independently as the analysis we pro¬ 
vide here (see for instance the work of Kent (2^). The 
main source of imperfection in a position verification pro¬ 
tocol is the quantum channel between the verifiers and 
the prover, which can never be assumed to be perfect. 
In general, the channel is both lossy and noisy, which is 
why even an ideal prover cannot possibly pass the test 
perfectly. On the other hand, it makes sense to assume 
that the classical channels are essentially perfect (lossless 
and noiseless). 


A. Formal description of the position-verification 
protocols 

Following the literature, we will find it useful to de¬ 
scribe the protocol in terms of distributed collaborative 
games, where two players, named Alice and Bob, inde¬ 
pendently receive some query from some referee, are al¬ 
lowed a single round of (bipartite) communication and 
need to output some answer. In the honest prover case, 
Alice and Bob hold the same spatial position and the 
prover has access to both their inputs. In the cheating 
coalition case, Alice and Bob sit respectively between P 
and Vo or between P and Vi and are only allowed one 
simultaneous round of communication. The main result 
of [S] is that if Alice and Bob can win the game with ar¬ 
bitrarily many rounds of communication, then they can 
also win it with a single simultaneous round, provided 
that they are sufficiently entangled. 

The main family of protocols we will consider corre¬ 
sponding to games denoted by G(n,U,r]) where n refers 
to the number of qubits involved in the protocol, lA is & 
set of u-qubit unitaries, and 77 is the tolerance threshold. 
We will also write G{n, k, rj) when the set U is & subset 
of Cfc, the fc*'' level of the Clifford hierarchy (see the ap¬ 
pendix for a formal definition of the Clifford Hierarchy). 
The protocol G{n,U,r]) consists of the following phases: 

Preparation Phase: 

1. The verifier Vb chooses an n-qubit unitary operator 
U Gr U and an n-bit string x = (xi,... ,x„) Gr 
{0,1}". Vb prepares \'il)) = U\x), where |x) = 
0 ”= -y \xi) is a computational basis state. 

2. Vb sends x and U to Vi through some secure au¬ 
thenticated classical channel. 


Execution Phase: 

1 . Vb sends the n qubit quantum state \’4>) to prover 
P at time 0. Vi sends the unitary U to P at time 

T = 0. 

2. The prover P receives both \ijj) and U at time r = 1. 


3. After receiving I'll)) and U, the honest prover P com¬ 
putes U^ip) and measures it in computational ba¬ 
sis, obtaining some outcome string y. P then sends 
back y to both Vb and Vi. 

Verification Phase: 

1. The prover P wins the game if Vb and Vi receive 
the same string y at time r = 2, and if the Ham¬ 
ming distance between x and y is less than •qn\ 
dnix^y) < y-n. 

In the literature, this family is often considered in the 
single qubit case, for instance with lA = {id, 7?} where 
p[ is the Hadamard gate Biniiis]. Then it makes sense 
to repeat the protocol n times in order to build some 
statistics. 

In our case, we aim at giving a more general picture 
of the possible attacks working against this scheme and 
consider n-qubit gates. For such protocols, we will show 
that there exists a trade-off between the complexity of the 
protocol for the honest prover and the resources needed 
to break the protocol for a coalition of cheaters. 

B. Attacks strategies against position verification 
protocols 

As was proved in [5], there always exists a working at¬ 
tack strategy against any position verification protocol 
that allows a coalition of adversaries to perfectly im¬ 
personate the honest prover. In the case of the one¬ 
dimensional protocols considered in this paper, such a 
coalition consists without loss of generality of 2 players, 
Alice (A) and Bob (H), with Alice lying on the line be¬ 
tween Vb and P, and Bob lying between Vi and P. 

The attack strategies we will consider have the follow¬ 
ing structure: 

1. Alice and Bob initially share a (possibly entangled) 
initial bipartite state pab of dimension to be spec¬ 
ified later. Typically, pab consists of many EPR 
pairs. 

2 . Alice intercepts the communication from Vb, 
namely a quantum register pc (where G stands for 
challenge), as well as some classical information. 

3. Bob intercepts the classical communication from 
Vi. 

4. Depending on the classical information they re¬ 
ceived, Alice and Bob perform respectively a quan¬ 
tum measurement on their respective registers, AG 
and B. 

5. They forward all the classical information as well as 
the outcomes of the measurement to their partner. 

6 . Finally, upon receiving this information, they pre¬ 
pare and send their response to the verifiers. 
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The main question of interest is to decide how the di¬ 
mension of pab, and more particularly the entanglement 
of this state, scales with the parameters of the position 
verification protocol. 

This scenario allows us to see the cheating procedure 
as a distributed task, or game, where Alice and Bob are 
asked questions (possibly consisting of a quantum state), 
are allowed a single round of communication and are re¬ 
quired to output some specific answer. They win the 
game if they fool the verifiers. 

We can interpret the family G{n,U,r]) in these terms: 

Definition 1. The distributed game G{n,U,r]) is defined 
as follows: 

• Input: If:) = U\x) for Alice, U GU for Bob 

• Output: a G {0,1}" for Alice, b G {0,1}" for Bob 

• Winning condition: a = b and c?//(a,x) < gn 

We now list a few questions of interest. In the perfect 
setting (ry = 0), how many EPR pairs do Alice and Bob 
need to share to carry out a successful attack with rea¬ 
sonable probability? One of the main open questions of 
the field is to find an explicit protocol that requires an 
exponential number of EPR pairs to break. 

Second, if ?] > 0, this opens the door to new attacks, 
even for non entangled cheaters. A possible strategy con¬ 
sists in Alice measuring the state in a random basis and 
forwarding her measurement outcome to Bob. Ideally, it 
would be interesting to understand how the amount of 
entanglement required for cheating behaves as a function 
of rj. 

We should also comment on the definition of a success¬ 
ful attack. If the goal is to design a secure protocol, then 
Alice and Bob should not be able to cheat, even with 
a very small probability. Indeed, even if the cheating 
strategy only succeeds with probability 10“^ or 10“^, it 
is difficult to claim that the protocol is secure. Ideally, we 
want this cheating probability to be exponentially small 
in n. In this paper, however, we choose for simplicity to 
focus on attacks that work with high probability (close 
to 1). 

III. ATTACKS FOR g = 0 BASED ON THE 
CLIFFORD HIERARCHY 

In this section, we first study attack techniques based 
on the Clifford hierarchy that can be applied by cheaters 
against the family of protocols G{n,U,0) in the case 
where the value of the tolerance threshold g is set to 0. 
The definition of the Clifford hierarchy is given in the ap¬ 
pendix. Let us simply recall here that the first two levels 
C'i(n) and (72 (n) of the hierarchy correspond respectively 
to the Pauli and the Clifford groups. 

In particular, we will give explicit attacks that may be 
efficient in the following practically relevant cases: (1) if 
G C Gk{n), that is if the unitaries all belong to some low 


level k of the Clifford hierarchy, (2) if the unitaries in U 
can all be implemented with a quantum circuit with a 
fixed layout. 

We note that these two cases correspond to protocols 
that appear to be practical for a honest prover. Indeed, 
gates in a low level of the Clifford Hierarchy are much 
easier to implement fault tolerantly than arbitrary gates. 
Moreover, if the quantum states are photonic states, and 
the honest prover uses integrated photonics to implement 
the unitaries vcihl, & fairly reasonable choice in practice, 
then it makes sense to fix some layout, that is an optical 
circuit consisting of single or 2-qubit gates for instance, 
and to obtain the family lA by changing the value of the 
single and 2-qubit gates. 

A. A general attack for U = Ck 

Let us first define the Clifford complexity of a family 
U of unitaries. 

Definition 2. Let U be a set of n-qubit unitaries. We 
define the Clifford complexity of the set lA, denoted by 
CC[fi], to be the minimum number of EPR pairs that 
Alice and Bob must share to perfectly win the game 
G{n,U,B). 

It is easy to see that if the unitary 17 is a Pauli matrix, 
then Alice and Bob can win the game G{n,k = 1,0) 
without sharing any entanglement because \'fi) is also a 
basis state \y). The two strings x and y coincide on the 
qubits for which U is the identity or a Z Pauli matrix, 
and differ for the other qubits. Therefore, Alice simply 
needs to measure \fj) in the computational basis and to 
forward her results to Bob, who can recover the correct 
string X using his knowledge of U. This shows that 

CC[(7i(n)] = 0. 

If the unitary U belongs to the Clifford group G 2 , then 
Alice and Bob can again win the game perfectly if they 
share n EPR pairs. The idea is for Alice to teleport the 
state \if) to Bob using the n EPR pairs. Bob obtains 
the state a\if) where cr G Gi{n) is a Pauli correction. 
Applying the unitary to his state. Bob obtains 

CVl'i/') = U^aU\x), 

where U^crU G Gi in). This means that Bob simply needs 
to measure this state in the computational basis, and 
forward his result to Alice. Once they know both the 
value of a and the result of the measurement, both Alice 
and Bob are able to recover the correct value of the string 
x and they win the game. This proves that 

CC[(72(n)] < n. 

If the unitary U to be implemented belongs to the 
fc**' level of the Clifford hierarchy, then Alice and Bob 
can apply an iterative procedure which is described in 
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Algorithm This algorithm is similar to the protocol 
of Vaidman m for instantaneously measuring nonlo¬ 
cal variables and to the cheating strategy of [S]. The 
main difference lies in the termination condition: here, 


the algorithm terminates after a deterministic number of 
rounds that depends on the considered level of the Clif¬ 
ford Hierarchy. 


Input: 1^) = U\x) received by Alice, U = Uq £ Ck received by Bob 
Output: X £ {0,1}” 

1 Alice teleports the state \tj}) to B using n EPR pairs and obtains a string describing ctai G Pn- Bob obtains 
the state cr^JV’) = crAiU\x). 

2 Bob applies W to his state and teleports the outcome aAiU\x) to Alice, obtaining some classical 
description of (JBi £ Vn- Alice obtains the state Ux\x) where Ui = aB^U^crA^U £ Ck-i- 


for j = 1 to k — 3 do 


3 


Alice knows the value of aAi, • ■ •, cta^ (among the 4-1” possibilities). Alice and Bob share 
4” X EPR pairs devoted to Round j, corresponding to 4" sets of n x ePR pairs, one 

set for each possible value of aAy Alice teleports back each of the n-qubit states (of the form 

Uj\x) for some unitary Uj £ Ck-j(n)) she received from Bob using the “teleportation channel” indexed 
by CTAj- In that teleportation channel. Bob obtains the state aAj+iUj\x), applies Uj to that state, 
before teleporting it back to Alice in the corresponding teleportation channel. Alice receives Uj+i\x) 


with Uj+i = (Tb^+i 


UjAj+iUj £ Ck-{j+i)- 


eud 


4 Alice uses a final round of teleportation for the 4*^^“^^" n-qubit states, and obtains a classical description of 

5 Alice sends the classical value of ctai, ■ ■ ■, o'a^_i to Bob. 

6 Bob applies to each n-qubit state, measures in the computational basis, and forwards the classical 
output, as well as the value of ob^ , ■ • ■, o'Ak-^ Alice. 

7 Both Alice and Bob compute the value of x. 


Algorithui 1: Cheating strategy for G(n, Ck{n), 1) based on the Clifford hierarchy 


Leuiuia 3. If Alice and Bob apply Algorithm then 
they win the game. 

Proof. To prove the correctness of the algorithm, we need 
to show that Uj £ Ck-j and that Bob can perform fjj 
since he knows the value of Uj. The first point is shown 
by recurrence: Uq = U £ Ck and if Uj £ Ck-j, then 
Uj+i = aBj+iUjAjj.iUj £ Ck-j-i. Moreover, the value 
of Uj is a function of Uj-i, aAj and a b^ ■ For the quantum 
channel labeled by cta , Bob is therefore able to apply 

u]. 

The existence of the attack strategy described in Al¬ 
gorithm [2 allows us to obtain the following upper bound 
for the Clifford complexity of the set Ck{n). 

Theorem 4. 

CC[Gfc(n)] < 4n4"(''-2). (1) 

Proof. The loop at Step 3 in Algorithm can be viewed 
as a branching tree with depth k — 2 (see Fig. [^. This 
tree is regular with each internal node having 4" children 


(corresponding to the 4" possible values for Alice’s Bell 
measurement result). Each layer of the tree corresponds 
to a round trip between Alice and Bob, that is 2n EPR 
pairs. Computing the complexity of the attack there¬ 
fore amounts at counting the number of branches in the 
tree. For a tree of depth k — 2, the number of branches 
is Moreover, the last step of the protocol con¬ 

sists in a quantum teleportation of n x 4"^^“^) qubits 
from Alice to Bob. In total, the number of EPR pairs 
used in the protocols is therefore 

k-2 

2n y 4^" -k < 4 n 4 ”('=- 2 ) ^ 


In the following, we denote by Tree[G/c(n)] the number 
of EPR pairs required to perform the attack described 
by Algorithm on the set of unitaries Ck {n). Theorem 
[^simply says that 

CC[Gfc(n)] < Tree[Gfc(n)] < 


( 2 ) 
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Figure 1: Pictorial view of Step 3 of Algorithm Each level of the tree corresponds to a round trip between Alice and Bob. 
Each of the nodes correspond to a quantum state. In particular, the root node is the initial quantum state Uo\x) received by 
Alice, and the path in red dash (determined by the successive outputs of the Bell measurements) goes along the various states 
held by Alice at different steps of the protocol, namely U\\x ),..., Uk- 2 \x). 


B. Attacks when U correspond to quantum circuits 
with a fixed layout 

The attack corresponding to Algorithm is general 
and works for any n-qubit gate in some given level of the 
Clifford hierarchy. In the context of position verification 
protocols, however, the interesting set of gates U from 
which the unitary to be implemented is chosen, is often 
more restricted. Indeed, if the protocol is to be practi¬ 
cal, then a honest prover should be able to implement 
the unitaries reasonably efficiently. For this reason, it is 
interesting to consider unitaries described by quantum 
circuits. 

In a practical scenario, where the quantum states given 
to Alice are photonic qubits, it makes sense to consider 
photonic implementations for the quantum circuit, and 
therefore to consider unitaries with a fixed layout for 
the quantum circuit, and adjustable single and two-qubit 
gates. This is typically the case for experimental imple¬ 
mentations based on integrated photonics m- 

For this reason, the set U of unitaries considered could 


be described by a fixed layout, and a specific unitary 
U GU is then described by giving the value of each single 
or two-qubit gate in the layout. For a quantum circuit 
based on linear optics, the layout C corresponds to the 
position of the phase-shifters and beamsplitters, and the 
unitary is given by the specific values of the phase-shifts 
and transmission of the beamsplitters. 

We will be interested in the complexity of attacks for 
such schemes as a function of the depth and width of 
such quantum circuits. 

Definition 5. Let C he the layout for an n-qubit quantum 
circuit, consisting of adjustable elementary gates. The set 
lAc of n-qubit unitaries corresponds to the set of unitaries 
which can be implemented with a quantum circuit with 
layout C. 

Let us prove elementary results about the composition 
of circuit layouts. 

Lemma 6 (Parallel circuits). Let Ci,C 2 be two layouts 
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for quantum circuits. Then 

CC[Uc,\\^c,] < CC[Uc,] + CG[Uc,], ( 3 ) 

where £i ||£2 is the layout corresponding to putting Ci 
and C 2 in parallel. 

We note that the quantum unitary corresponding to 
two circuits in parallel is simply the tensor product of 
the unitaries: Uci\\C 2 = Uci ® Uc 2 and therefore 

^Ci||£2 C Uct ®Uc2- 

Proof. Consider any gate t/i 0 C /2 € Uci\\c 2 - Since both 
Alice and Bob know the decomposition C/ 10 C/ 2 , they can 
implement the optimal attack for Ui and for C /2 indepen¬ 
dently, since these unitaries act on distinct sets of qubits. 
The complexity of the overall attack is simply the sum 
of the complexities of implementing Ui and C/ 2 , which is 
upper bounded by CC^a] + CC[C/c 2 ]- 

Lemma 7 (Concatenated circuits). Let Ci,C 2 be two 
layouts for quantum circuits. Then 

GC[Uc,C 2] < Tvee[Uc,]Tvee[Uc2], (4) 

where C 1 C 2 is the layout corresponding to concatenating 
the layouts Ci and C 2 . 

Proof. The strategy consists in first applying the strat¬ 
egy corresponding to Algorithm for unitary Ui G Uci- 
Then, at the last round, instead of measuring the state. 
Bob continues the teleportation protocol in order to im¬ 
plement C /2 S Uc 2 - There are at most Tree[C/£j nodes 
in the tree corresponding to the implementation of C/i, 
and it is sufficient to apply the protocol to each of the 
leaves in order to implement to concatenation of Ui and 
C/ 2 . Therefore, Tree[C//cjTree[C//£ 2 ] EPR pairs are suffi¬ 
cient to implement the total unitary. □ 

From Lemmas and it is possible to compute an 
upper bound for the Clifford complexity of any layout, 
as a function of its depth and size. 

Theorem 8. Let C be the layout of an n-qubit quantum 
circuit of depth d where each layer consists of gates in 
Cfc.. Then 

CC[Uc] < ^ ( 5 ) 

Proof. The layout C can be decomposed into d layers: 
C = C 1 C 2 ■ ■ ■ Cd- By applying Lemmarecursively, one 
obtains that 

d 

CC[Uc] < l[TTee[Uc^]. 

i=l 

Combining this with the result of Theorem one finally 
obtains 

d 

GC[Uc] < 

i=l 

which establishes the result. □ 


We note that this result can be slightly improved by 
using Lemma together with Theorem for the last 
layer. Indeed, if the last layer only consists of 1 or 2- 
qubit gates, then it can be implemented with at most 
n X (4n) X 4^*^*“^^ EPR pairs since the layer can be seen 
as at most n parallel circuits acting on at most 2 qubits 
each. 

We conclude this section with an important remark, 
which was already made in m- If the value of p is too 
large, then there always exists a winning strategy for non- 
entangled cheaters. For the protocols considered above, 
rj = 1/2 is always achievable by a simple random guessing 
strategy: Alice and Bob simply agree on a random string 
and return it to the verifiers. For specific protocols where 
the family U displays some structure, better attacks are 
available. For instance, in the case of the BB84 scheme, 
measuring in the Breidbart basis allows the cheaters to 
win if ?7 > 1 — cos^(7r/8) « 0.15. 

IV. THE INTERLEAVED PRODUCT 
PROTOCOL 

In this section, we introduce a new scheme for position 
verification based on the interleaved group product. This 
scheme depends on two main parameters: the number n 
of single-qubit states used and a parameter t quantifying 
the size of the product. More formally, the Lnterleaved 
Product protocol denoted by Gip(n, t, ?7err,’floss); goes as 
follows: 

Preparation Phase: 

1. Vq chooses a random bit string x Gr {0,1}" 
and and a single-qubit unitary U chosen from the 
Haar measure on unitary group U{2). Vq also 
chooses 2t — 1 additional independent unitaries 
ui,... ,Ut,vi,..., Vt -1 from the Haar measure on 
U{2) and computes Vt = ulvl_i ... vlu\U, thus en¬ 
suring that U = Jli^i ’’iU- Verifier Vq then informs 
Vi of these choices thanks to a secure classical chan¬ 
nel. 

2. Vq prepares the n-qubit state \ijj) = C/®"|a;) , ap¬ 
plying the same unitary U to all the qubits of |a;). 

Execution Phase: 

1. At time t = 0, Vq sends the state \ijj) as well as the 
classical description of (ui,...,Mt) to the prover, 
and Vi sends the classical description of (ui,..., Ut) 
to P. 

2. At time t = 1, the prover receives {ip), computes 
U — UiVi, applies (t//)®" to \tp) and measures 
the resulting state in the computational basis, ob¬ 
taining some outcome y G (0,0,1}", which is sent 
to both Vq and V}. Here the symbol 0 refers to an 
empty measurement result. 


Verification Phase: 

1. The prover P wins the game if Vq and Vi both 
receive an identical string y at time t = 2, if the 
number of errors is less than ?7err^ and the number 
of empty results 0 is less than ryioss^- 

Interestingly for this protocol, the verifiers only need 
to prepare arbitrary single-qubit states and the honest 
prover is simply required to measure a qubit in a given 
basis, which is quite practical. We note that a similar 
family of protocols was considered in jH|, but with more 
verifiers, which made the protocol less practical. Here we 
make the choice that the same unitary U is applied to all 
the qubits. A variant of the protocol would be to send 
n successive challenges to the prover, with n different 
choices for the unitary. 

The main feature of this protocol is that the value of 
the unitary U that defines the measurement basis is de¬ 
scribed by a product U = Yll=i which is communi¬ 
cated to the prover in a distributed fashion. Intuitively, 
if a coalition of cheaters tries to break the protocol, it 
seems that they need to follow a back-and-forth strategy 
to take care of each of the unitaries, one at the time. As 
we will see in the next section, this leads to attacks with a 
complexity exponential in the parameter t. On the other 
hand, the honest prover simply needs to compute the 2t- 
fold product of 2 x 2 matrices, which takes time linear in 
t. 

In fact, for a practical implementation, each of the 2t 
unitaries should be described with a given (finite) level 
of accuracy, meaning that describing a unitary is done 
with a constant number of bits. We ignore this subtlety 
in the present paper. 


V. ATTACK STRATEGIES FOR THE 
INTERLEAVED-PRODUCT PROTOCOL 

By construction, the Interleaved-Product protocol is 
immune to the attacks based on the Clifford hierarchy: 
this is simply because all the gates are chosen from the 
Haar measure and therefore do not belong to any low 
level of the Clifford hierarchy. Moreover, the product 
structure enforces a large depth (of order 2t which can 
be taken as arbitrarily large in practice) for the quantum 
circuit. Note that in the proposal of |S], neither of these 
conditions was enforced because t corresponded to the 
number of verifiers (which should remain quite small for 
practical protocols) and all the gates belong to some low 
level of the Clifford hierarchy. 

There exist, however, some attacks working in the 
regime r]g.„ > 0, which we investigate now. Recall that 
we consider here the lossless scenario where the prover 
is required to give a bit value 0 or 1 for each qubit. 
The first strategy uses port-based teleportation over 2t 
rounds. The second strategy we will consider relies on 
the Solovay-Kitaev theorem for approximating arbitrary 


gates with gates in a low level of the Clifford hierar¬ 
chy, for which the attack of Algorithm can be applied. 
Both attacks lead to the same complexity and require 
20 (iiog(i/»?err)) EPR pairs. Both strategies work in the 
lossless case rjioss = 0. 

We end this section with a discussion of possible at¬ 
tack strategies for non-entangled cheaters, which works 
if TJerr + ??loss/4 > 1/4. 


A. Attack based on Port-based teleportation 


The attack proceeds as follows: 

• Alice applies the unitary u\ to each of her n qubits 
and uses mi EPR pairs to teleport each qubit to 
Bob. This consumes a total of Mi = min EPR 
pairs. 

• Bob applies the unitary v\ to all of his qubits, and 
uses m 2 EPR pairs to teleport each one back to 
Alice. This consumes a total of M 2 = m 2 Mi EPR 
pairs. 


• This process is repeated for 2t rounds, after which 
the unitary I/'l’ has been applied to all the qubits. 
At each step, Alice or Bob uses m^ EPR pairs to 
perform the port-based teleportation of a single 
qubit. 

• At the last step. Bob measures each qubit in the 
computational basis, and both he and Alice ex¬ 
change their measurement results. 


There are two quantities of interest to analyze the at¬ 
tacks: the total number of EPR pairs used by Alice and 
Bob, and the fidelity of the final state. Recall indeed 
that port-based teleportation is not perfect, and that the 
teleported state is only an approximation of the input 
state. 

The number M of EPR pairs is given by: 


M = Ml -h M 2 -f • • • -k M2t_i 


2t-l 


mi + mim2 -k • • • -k 


( 6 ) 

(7) 


The fidelity F between the qubit after the 2t — 1 rounds 
of teleportation and the initial qubit is: 


2t-l 




( 8 ) 


Choosing the slightly suboptimal strategy where all 
he mi are taken to be equal to a constant m gives: M = 
-1 ~ and F = (1 — 4/m)^*“^, that is: 


rm 


M 



(9) 


where ryerr = 1 — F is assumed to be small. This estab¬ 
lishes the following result. 
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Theorem 9. Port-based teleportation provides an at- 
taek strategy against Gip{n,t,rierr,Vioss = 0) that requires 
nexp(0(i log(t/r?err))) EPR pairs. 


B. Attack based on the Solovay-Kitaev 
approximation 


We now consider a different attack strategy based 
on the Solovay-Kitaev approximation, which guarantees 
that any single-qubit unitary can be approximated with 
accuracy e by a sequence of unitaries taken from some 
fixed universal set of gates. 

Theorem 10 (Solovay-Kitaev |12]). If G Q SU{d) is a 
universal family of gates (where SU{d) is the group of 
unitary operators in a d-dimensional Hilbert spaee), G 
is closed under inverse and G generates a dense subset 
of SU{d), then for any U G SU{d), £ > 0, there exist 
gi, g 2 , ■ ■., gi € G such that \\U — Ug^^Ug^ ■ ■ ■ Ug^ || < £ o,nd 
I = 0(log‘^ (e))) where c < 3 is a positive constant. 

Let us fix 0 = {H,T} where H is the Hadamard opera¬ 
tor and T is the ^ qubit gate, and note that this set lies in 
the third level of the Clifford hierarchy. The Solovay- 
Kitaev theorem guarantees that for each unitary Ui used 
in the game G'ip(n, t, r^em ??ioss)) there exists another uni¬ 
tary [/', obtained as a product of exactly I gates from 
{il, T, I 2 } (where the identity is chosen so that the size 
I can be chosen to be independent the unitary Ui). By 
decomposing their respective gates Ui and Vi into prod¬ 
ucts of gates in C 3 , Alice and Bob are able to implement 
the attack strategy of Algorithmic 

Theorem 11. There exists an attack strategy for 
Gip(n, t, r?err, ??ioss = 0) requiring EPR 

pairs, where c < 3. 

Proof. According to Solovay-Kitaev theorem, one can ap¬ 
proximate each unitary Ui used in the protocol by an¬ 
other unitary t/' such that \\Ui — U(\\ < using a 

sequence of I = 0(log^(2t/?7err)) gates. Overall, the ap¬ 
proximation quality is given by 


Y[u^v^-Y[u'v' 


i=l i=l 


^ ^err- 


The circuit to implement the gate ni=i has depth 
2tl and uses only gates from C 2 or C 3 . According to The¬ 
orem 1C the number M of EPR pairs needed to perform 
the attack is 


M = 2®*^ = 


( 10 ) 


Performing this attack for each of the n qubits proves the 
theorem. 

□ 


This attack can in fact be improved by noting that the 
gates in G = {H,T} are semi-Clifford (see the appendix 


for a definition). Recall that for a semi-Clifford unitary 
U, there are 2" operators a G Vn such that UaW G Vn- 
This implies that for such gates, the tree described in 
Algorithmic can be taken to have degree 4" —2*^. For n = 
1 , as is the case here, this means that the complexity of 
approximating ni=i UiVi can be reduced to 2 '^** instead 
of 2 ®*‘, leading to an overall quadratic improvement in 
the complexity of the attack. 


C. Attacks for a non-entangled coalition of cheaters 

A possible cheating strategy for non-entangled cheaters 
was considered in m and goes as follows: Alice mea¬ 
sures each qubit Itpi) of the incoming state in a random 
basis, obtains some measurement result corresponding to 
a qubit state lUi) and communicates the classical descrip¬ 
tion of ipi to Bob. When Alice and Bob learn the value of 
the unitary U = Y[l=i 'UiVi, they can simply consider the 
state C/^l'i/'i) and output 0 or 1 , depending on whether 
is closer to |0) or to |1). This strategy gives them 
the correct bit with probability 3/4. Overall, this strat¬ 
egy leads to an expected fraction of correct bits equal 
to 3/4, which means that the protocol Gip(n, t, 1/4,0) is 
not secure against non entangled cheaters. 

If Vioss > 0 , that is if losses are tolerated, then Alice 
and Bob can apply the same technique and return a value 
only if max{|(0|[/I|'i/’i)p, |(0|t7f is large enough. A 

similar analysis as in [TB] shows that if Alice and Bob 
only return a value for a fraction 1 — Tyioss of the qubits, 
then their error rate is (1 — r?ioss)/4. This shows that 
non entangled cheaters have a winning strategy as soon 
as T^err + Vloss/^ > 1/4. 

We leave as an open question whether there exist 
subexponential strategies allowing the cheaters to win the 
game with non negligible probability when /yerr+? 7 ioss /4 < 
1/4 — £ for some small £ > 0. 


VI. LOSS-TOLERANT PROTOCOLS 

In general, the strategies consisting in measuring the 
state in a random basis allow the cheaters to win a con¬ 
stant fraction of the n “rounds” of a game. This is prob¬ 
lematic because it seems that a honest prover cannot do 
much better as soon as the quantum channel from the 
verifiers is imperfect, either lossy or noisy. As a conse¬ 
quence, it would appear that position verification is not 
robust against losses or noise (see [TB] for possible trade¬ 
offs between loss and noise). Fortunately, this conclusion 
is a little bit too pessimistic. 

For instance, the Interleaved Product protocol can be 
straightforwardly modified to be made loss-tolerant, pro¬ 
vided that the prover has access to a good quantum mem¬ 
ory. The crucial point to note here is that this protocol 
appears to remain secure even if the quantum state is 
distributed in advance compared to the classical infor¬ 
mation required to decide in which basis to measure the 
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state or to which verifier it should be forwarded. From 
this observation, we propose the following modification 
of the Interleaved Product protocol: 

In addition to the verifiers, there is a central “bank” of 
quantum states available to the proven. This bank (whose 
role can be played by the verifiers) distributes quantum 
states, along with some identification number, to inter¬ 
ested parties. The value of the states is not revealed to the 
client but the verifiers have access to a complete listing 
of pairs: (state ID, state value). When a proven wants 
to authenticate her position thanks to a position verifica¬ 
tion protocol, she should therefore obtain a quantum state 
from the bank, put it in a quantum memory, and then 
inform the verifiers of the state ID. Then, the verifiers 
can apply the usual protocol, with the exception that the 
state \ijj) does not need to be distributed since the game is 
played with the state the proven obtained from the bank. 

It seems to us that this modified protocol remains 
as secure as the original Interleaved Product protocol. 
More precisely, we could not think of any attack working 
against the modified version that would not also work 
against the original version. 

The advantage of this modified version is that the 
quantum channel between the verifiers and the prover 
is replaced by the quantum memory of the prover. This 
could become quite advantageous in a scenario where the 
physical distance between the verifiers and the prover is 
large, meaning that fiber optics communication would 
lead to high losses, provided that the prover has access 
to a good quantum memory. While the current state-of- 
the-art on quantum memories (see for instance |23| for 
a recent review) is certainly not sufficient to implement 
this modified version of the protocol, there are no reason 
to doubt that high fidelity quantum memories with long 


coherence time will not become available in the future. 


VII. DISCUSSION & CONCLUSION 

In this paper we have first studied a general family of 
attack strategies against position based quantum cryp¬ 
tography. In particular, we have established a connec¬ 
tion between several well studied quantum information 
processing tasks and position based quantum cryptog¬ 
raphy. It was previously known that there exists some 
efficient attack when the verifiers choose the challenge 
unitary from Clifford group. Here, we showed that this 
remains true if the unitaries lie in a low level of the Clif¬ 
ford hierarchy. This result connects notions relevant in 
fault-tolerant quantum computing with the attack com¬ 
plexity of position based quantum cryptography. 

Then, we have introduced a very practical position- 
verification scheme, the Interleaved Product protocol, 
which appears to be immune to these attacks and dis¬ 
plays the further advantage of being loss-tolerant in a 
scenario where the quantum state is distributed indepen¬ 
dently from the classical challenge. 
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Appendix A: Technical tools 

In this appendix, we review some technical notion used 
in the rest of the paper: the Clifford Hierarchy, telepor¬ 
tation gates, semi-Clifford gates and port-based telepor¬ 
tation. 


1. The Clifford Hierarchy 

The Clifford Hierarchy introduced in |25| is an infi¬ 
nite hierarchy of sets Ci(n) C C^in) C • • • C Ck{n) ■ ■ ■ 
of n-qubit unitaries where Ci(n) = Vn corresponds to 
the Pauli group (on n qubits), and the higher levels are 
defined recursively by: 

U e Ck+i(n) if and only if UaU"' € C'fc(n) for all a € Ci{n). 

When n is clear from context, we simply write Ck instead 
of Ck{n) for the level of the Clifford hierarchy for n- 
qubit gates. It should be noted that the first two levels 
of the hierarchy are groups, namely the Pauli and the 
Clifford groups, whereas none of the higher levels are 
groups. 

The gates from Ci and C 2 can be “easily” implemented 
fault tolerantly [3^. However, it is well known that they 
do not form a universal set for quantum computation. 
One therefore requires at least one gate from to obtain 
a universal set of gates. Not surprisingly, gates from C 3 
or higher levels are usually much harder to implement 
fault-tolerantly. 

2. Teleportation Gates 

Teleportation gates are a tool introduced by Gottes¬ 
man and Chuang |25| to implement a unitary operator 
U on any state provided that one can apply it to a spe¬ 
cial state. In particular, teleportation and the ability 
to perform single qubit operators are sufficient to obtain 
(fault-tolerant) universal quantum computation. 

The main idea relies on the fact that if one uses the 
state (J 0 C/)|<i)''") instead of = :^(|00) -I- |11)) to 
teleport a quantum state ['(/') then the teleported state 
will be of the form I7|'0) (up to some Pauli correction). 

To implement an n-qubit quantum gate U G C 3 , one 
first prepares the state |4'y) = (/0 C/)|$+)®”. Let \ijj) 
be an unknown state on which U has to be applied. Then 
taking l"^) and performing a Bell basis measurement on 
lip) and on the first register of ['I']}) leaves n qubits in the 
state IV^out) = URlijj) = R^U\ip), where the correction 
i? e Cl is a Pauli operator and R^ = URW S C2. Since 
R^ G C2, its inverse can easily be implemented, thus 
giving the state Ultp). Hence, using only n EPR pairs, 
one can implement any n-qubit quantum gate from C3 
provided that the state can be prepared efficiently. 

If U belongs to some higher level Ck with fc > 3 of 
the Clifford hierarchy, then one can apply the technique 
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outlined above iteratively for k — 2 steps. Indeed, in 
that case, the correction belongs to Ck-i- It should 
be clear that higher levels of the hierarchy require more 
teleportation steps and Bell measurements. 

3. Semi-Clifford Gates 

Semi-Clifford gates are another special type of gates 
with different structural properties than the gates in Clif¬ 
ford hierarchy. The concept of semi-Clifford gates was 
first introduced for the single-qubit case by D. Gross and 
M. Van den Nest in and generalized to n-qubit states 
by Zeng et al in |28| . 

Definition 12. An n-qubit unitary operation is called 
semi-Clifford if it sends by conjugation at least one max¬ 
imal abelian subgroup of Vn to another maximal abelian 
subgroup ofVn- 

In particular, if U is an n-qubit semi-Clifford opera¬ 
tion, then there must exist at least one maximal abelian 
subgroup G of such that UGW is another maximal 
abelian subgroup of Vn- While the general structure of 
the semi-Clifford gates is not yet completely understood 
for arbitrary n, we have a characterization for n = 1, 2 
and a partial characterization for n = 3. 

Theorem 13 (from |1S]). The gates in Gfe(l),G/c(2) are 
semi-Clifford for all k. For n = 3, all the gates in CsiS) 
are semi-Clifford. 


In our work, semi-Clifford gates will be of interest as 
they allow the cheaters to perform more efficient attack 
strategies for the second family of protocols. 


4. Port-based teleportation 

Port-based teleportation is a specific teleportation 
scheme introduced in m, that allows Alice to teleport 
an arbitrary quantum state to Bob, using many EPR 
pairs, called ports. After Alice’s measurement on her 
state and her half of the EPR pairs, the state is tele¬ 
ported (approximately) to one of Bob’s port, known to 
Alice. Alice simply sends this classical information to 
Bob, who only needs to trace out the other ports to re¬ 
cover Alice’s state. The main feature of this teleporta¬ 
tion scheme is that apart from tracing out some registers. 
Bob needs not apply any correction to the state. The fi¬ 
delity Epd'k'"), 14'°”*)) between Alice’s initial state and 
Bob’s final state using port-based teleportation depends 
on both the number N of EPR pairs consumed in the 
scheme and the dimension d of Alice’s state. The follow¬ 
ing lower-bound was established in |29| . 

Lemma 14 (from |29jl. 

^^(|^in)j^out))>i_^^ (Al) 


